The postings on this site solely reflect the personal views of each author and do not necessarily represent the views, positions, strategies or opinions of IBM or IBM management. IBM reserves the right to remove content deemed inappropriate.

There are few industries untouched by multiple regulations; businesses contend with regulations that control their accounting, IT security, operations, and so on and so forth – in addition to those that are sector specific. But all of this is for the good of the industry and to protect consumers.

If regulations are there for our own protection, why is there so much complaint about them? I’m sure that every now and then there are companies who feel that having to be compliant gets in the way of an “easier” way to run a business, to do accounting, to "do" security… But this isn’t the real issue: the true struggle is having to demonstrate compliance to auditors in order to avoid consequences ranging from steep fines to seeing your business shut down. So, the million dollar question is: why does it have to be so complicated to demonstrate compliance?

When it comes to an IT security audit, the easiest questions only require showing that certain actions take place: that actions are logged, that logs are collected, that backups are made, that there is a DRP, etc. The slightly more complex query will focus on proving that companies can stop events that shouldn’t happen; for example, that unauthorized users actually don’t have access to documents, that cyber-attacks are detected and blocked, that compromised systems are identified and cleaned, that logs cannot be manipulated or deleted without alerts triggering. The top of the chart goes to questions that require analysis of the security settings, such as showing the consistency among the access policies on all applications, among the firewall policies, and among the intrusion prevention policies.

The higher the complexity, the longer it takes a company to prove compliance to an auditor; I have seen companies spending several man-months to be able to show compliance. It is obvious that when the process takes that long it becomes very expensive and can impact the revenue margins of any company, in particular because the process of proving compliance is recurring and not a one-time expenditure.

So what can be done to make this task simpler and cheaper? Two things: automation and security intelligence.

We all know replacing manual processes with automation can be a huge money saver, not only because automation usually works much faster but also because it standardizes the steps, making it much simpler to prove compliance. For example, automating the collection of logs allows you to set triggers that will alert you when it doesn’t happen, killing two birds with one stone. The automation of identity provisioning not only ensures that the correctly configured access rights are assigned but also helps speed up the process and enables employees to become productive much faster.

Security Intelligence is the glue that gives meaning to the millions or even billions of events that can be generated by an IT infrastructure. When there are billions of log entries, how can a company state they know what is going on if they don’t have a security intelligence solution that not only collects the data but also correlates it in order to identify events and incidents, and enables the security staff to inspect and understand the bigger security picture rather than just what point products can collect? The beauty of a security intelligence solution doesn’t only lie in making the security staff’s life easier, but also in the availability of reports that allow both the monitoring and demonstration of compliance. Monitoring compliance allows companies to quickly identify events that can prove costly, for example a configuration change, access to confidential information, etc.; demonstrating compliance allows companies to save the man-months that they are currently spending to run a manual process, repeatedly.
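The two preceding paragraphs describe, in prose, what an automated collection check and a correlation rule do: alert when a log source stops reporting, and tie individual log lines together into an incident or a compliance-relevant event that no single point product would surface. The script below is an added illustration written for this page, not code from the original post or from any IBM product. The log lines, source names, the expected-source list and the thresholds are all constructed for the example; the format `<ISO timestamp> <source> <event>` is an assumption chosen to keep parsing simple.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post). Format per line:
# "<ISO timestamp> <source> <event text>". The domain controller ("dc") stops
# sending after 09:05 and the backup server never reports at all.
SAMPLE_LOGS = """\
2024-05-01T09:00:00 firewall ACCEPT src=10.0.0.5 dst=10.0.1.20 dport=443
2024-05-01T09:00:10 dc LOGIN_FAILED user=alice src=10.0.0.5
2024-05-01T09:00:20 dc LOGIN_FAILED user=alice src=10.0.0.5
2024-05-01T09:00:30 dc LOGIN_FAILED user=alice src=10.0.0.5
2024-05-01T09:00:40 dc LOGIN_OK user=alice src=10.0.0.5
2024-05-01T09:01:00 webserver GET /index.html 200
2024-05-01T09:03:00 firewall CONFIG_CHANGE admin=bob rule=allow-any-any
2024-05-01T09:05:00 dc LOGIN_OK user=carol src=10.0.0.9
2024-05-01T09:20:00 firewall ACCEPT src=10.0.0.6 dst=10.0.1.20 dport=443
2024-05-01T09:25:00 webserver GET /reports/q1.pdf 200
2024-05-01T09:30:00 firewall DROP src=198.51.100.7 dst=10.0.1.20 dport=22
"""

# Sources the collector is supposed to receive from (constructed list).
EXPECTED_SOURCES = ["firewall", "webserver", "dc", "backup-server"]


def parse_log_lines(text):
    """Parse lines into (timestamp, source, event) tuples, oldest first."""
    records = []
    for line in text.strip().splitlines():
        ts, source, event = line.split(" ", 2)
        records.append((datetime.fromisoformat(ts), source, event))
    records.sort(key=lambda r: r[0])
    return records


def find_silent_sources(records, expected_sources, now, max_silence):
    """Return {source: last_seen_or_None} for expected sources that have not
    logged within max_silence of `now`. A silent source is the collection
    failure the post says an automated trigger should alert on."""
    last_seen = {}
    for ts, source, _ in records:
        if source not in last_seen or ts > last_seen[source]:
            last_seen[source] = ts
    return {
        src: last_seen.get(src)
        for src in expected_sources
        if last_seen.get(src) is None or now - last_seen[src] > max_silence
    }


def correlate_failed_then_success(records, threshold, window):
    """Flag users with at least `threshold` LOGIN_FAILED events followed by a
    LOGIN_OK inside `window`: a pattern visible only by correlating lines."""
    failures = {}   # user -> timestamps of failed logins not yet closed out
    incidents = []
    for ts, source, event in records:
        fields = dict(f.split("=", 1) for f in event.split()[1:] if "=" in f)
        user = fields.get("user")
        if user is None:
            continue
        if event.startswith("LOGIN_FAILED"):
            failures.setdefault(user, []).append(ts)
        elif event.startswith("LOGIN_OK"):
            recent = [t for t in failures.get(user, []) if ts - t <= window]
            if len(recent) >= threshold:
                incidents.append((user, len(recent), ts))
            failures[user] = []
    return incidents


def compliance_relevant_events(records, watched_prefixes=("CONFIG_CHANGE",)):
    """Pick out events an auditor will ask about, such as configuration changes."""
    return [(ts, src, ev) for ts, src, ev in records
            if ev.startswith(watched_prefixes)]


def run_checks(now=datetime(2024, 5, 1, 9, 30),
               max_silence=timedelta(minutes=10)):
    """Run all three checks over the constructed sample and return the results."""
    records = parse_log_lines(SAMPLE_LOGS)
    return {
        "silent": find_silent_sources(records, EXPECTED_SOURCES, now, max_silence),
        "incidents": correlate_failed_then_success(records, 3, timedelta(minutes=5)),
        "config_changes": compliance_relevant_events(records),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

Running it reports `dc` (last seen 09:05) and `backup-server` (never seen) as silent, one incident for `alice` (three failures then a success within the window), and the firewall rule change as a compliance-relevant event. The same three outputs are what the reporting side of a security intelligence tool turns into the evidence an auditor asks for: proof that collection is monitored, that incidents are identified, and that configuration changes are tracked.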

Do you want to take it a step further? Wouldn’t it be great to test the impact of a policy change rather than applying it and then monitoring events to identify incidents or loss of compliance? That is possible, and it is exactly what risk management can do. This new frontier allows companies to be pre-emptive rather than reactive: instead of showing the auditors that they are able to detect security issues and fix compliance issues, companies can show that they verify the policies before applying them, making it even easier and less costly to abide by regulation and prove compliance, while reducing the risk of security incidents.

Read more on meeting PCI DSS requirements—even in virtual environments.

About the author:

Jean Paul Ballerini has been a member of the World Wide Security Sales Enablement Team since January 2010. Before that, he was the Technical Sales Lead for IBM’s South West Europe region, after having held the role of Senior Technology Solutions Expert for IBM Internet Security Systems for the previous six years. Since 2003, Ballerini has also served as the EMEA spokesperson for the X-Force, the IBM security research and development team.

He also holds a PhD in Computer Science and Law. In 2005 Ballerini became a CISSP, and since 2007 has also served as a Qualified Security Assessor for the Payment Card Industry. In June 2008 he was appointed an IBM certified Senior Technical Staff Member.